United States Patent and Trademark Office

APPLICATION NO.: 10/060,792
FILING DATE: 01/29/2002
FIRST NAMED INVENTOR: Theron Tock
ATTORNEY DOCKET NO.: 0023-0220
CONFIRMATION NO.: 8256

44987 7590 06/01/2007
HARRITY SNYDER, LLP
11350 Random Hills Road
SUITE 600
FAIRFAX, VA 22030

EXAMINER: ALAM, UZMA
ART UNIT: 2157
MAIL DATE: 06/01/2007
DELIVERY MODE: PAPER

Please find below and/or attached an Office communication concerning this application or proceeding. 

The time period for reply, if any, is set in the attached communication. 



PTOL-90A (Rev. 04/07) 





Office Action Summary

Application No.: 10/060,792
Applicant(s): TOCK ET AL.
Examiner: Uzma Alam
Art Unit: 2157

The MAILING DATE of this communication appears on the cover sheet with the correspondence address
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS

DETAILED ACTION

This action is responsive to the response to the amendment filed March 20, 2007.
Claims 1, 13, 19, 31, 32, 34 and 44 are amended. Claims 1-42, 44-50 are pending.

Claim Rejections - 35 USC § 102 

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language.

2. Claims 1-16, 18-40, 42, and 44-50 are rejected under 35 U.S.C. 102(e) as being
anticipated by Win et al. US Patent No. 6,182,142. Win teaches the invention as claimed 
including access and registry servers to provide secure access to clients (see abstract). 

As per claims 1, 34 and 39 Win et al. teaches a method, system and computer readable 
medium for accessing resources on a private network via an intermediary server that is outside
the private network said method comprising: 

(a) receiving a login request from a user for access to the intermediary server that is 
outside the private network (user login to Access Server (106) column 6, lines 6-24, column 9,
lines 45-67; a firewall (118) separates the Internet and the Access Server (106) Intranet is the
private network; column 22, lines 50-64; Figures 1 and 8); 

(b) authenticating the user (Authentication Client Module authenticates user by verifying 
user login with Registry Server (108), column 6, lines 49-51); 

(c) subsequently receiving a resource request from the user at the intermediary server, the 
resource request requesting a particular operation with respect to a resource from the private 
network (User selects resource to be accessed from protected server (112), column 6, lines 16- 
24, lines 65-67); 

(d) obtaining access privileges for the user (cookie sent to browser with access privileges; 
column 8, lines 56-67); 

(e) determining whether the access privileges for the user permit the user to perform the 
particular operation at the private network (Access Server decrypts "roles cookie" to determine 
privileges Figure 3 (320), column 8, lines 56-67), and

(f) preventing performance of the particular operation at the private network such that a 
response to the resource request is not had when said determining (e) determines that the access 
privileges for the user do not permit the user to perform the particular operation at the private 
network (Access restricted (322)). 

As per claims 19 and 44, Win et al. teaches a method for providing remote access to a 
private network via an intermediary server that is outside the private network, said method 
comprising:

(a) receiving a login request from a remote user for access to the intermediary server that
is outside the private network (user login to Access Server (106) column 6, lines 6-24, column 9, 
lines 45-67; a firewall (118) separates the Internet and the Access Server (106) Intranet is the 
private network; column 22, lines 50-64; Figures 1 and 8); 

(b) determining whether the remote user is permitted access to the intermediary server 
(Authentication Client Module authenticates user by verifying user login with Registry Server 
(108), column 6, lines 49-51);

(c) granting the remote user access to the intermediary server when said determining (b) 
determines that the remote user is permitted access, the granted access also carries access 
privileges to predetermined portions of the private network (Access Server decrypts "roles 
cookie" to determine privileges Figure 3 (320), column 8, lines 56-67);

(d) subsequently receiving a resource request from the remote user at the intermediary 
server, the resource request requesting a particular resource (User selects resource to be accessed 
from protected server (112), column 6, lines 16-24, lines 65-67); 

(e) determining whether the resource request from the remote user is permitted by the 
access privileges (Access Server decrypts "roles cookie" to determine privileges Figure 3 (320), 
column 8, lines 56-67);

(f) supplying the particular resource to the remote user when said determining (e) 
determines that the resource request from the user is permitted (Figure 3C); and 

(g) denying the remote user from access to the particular resource when said determining 
(e) determines that the resource request from the user is not permitted (Access restricted (322)).

As per claims 2 and 35, Win et al. teaches a method as recited in claim 1, wherein the
particular operation is one of a resource request, a file access operation or an email operation
(resource request column 6, lines 65-67).

As per claim 3 and 36, Win et al. teaches a method as recited in claim 1 wherein said 
authenticating (b) determines whether the user is authenticated based on an external 
authentication server (Access server (106) and registry server (108) that exchange information to 
authenticate a user. Registry server (108) verifies user name and password). 

As per claim 4, Win et al. teaches a method as recited in claim 3 wherein the external 
authentication server is within the private network (Registry server (108) coupled to Access 
server (106), Figure 5A).

As per claims 5 and 37, Win et al. teaches a method as recited in claim 1, wherein the
intermediary server stores the access privileges for a plurality of users (Access server (106)
stores Authentication client module, column 6, lines 48-51).

As per claim 6, Win et al. teaches a method as recited in claim 1, wherein the
intermediary server stores an authentication identifier for each of a plurality of users, the 
authentication identifier identifies an external authentication server to be used to perform said 
authenticating (b) (Access server (106) and registry server (108) that exchange information to 
authenticate a user. Registry server (108) verifies user name and password).

As per claim 7, Win et al. teaches a method as recited in claim 6, wherein the external
authentication server is within the private network (Registry server (108) coupled to Access
server (106), Figure 5A).

As per claim 8, Win et al. teaches a method as recited in claim 7, wherein the 
authentication identifier comprises a network address for the external authentication server 
(column 12, lines 26-67). 

As per claim 9, Win et al. teaches a method as recited in claim 1, wherein the resource 
request is from a client-side application operating on a client machine (column 5, lines 9-15). 

As per claim 10, Win et al. teaches a method as recited in claim 9, wherein the client side 
application is selected from the group consisting of a web browser, an email application or a file 
access application (column 5, lines 9-15). 

As per claim 11, Win et al. teaches a method as recited in claim 1, wherein the user is a
remote user (column 5, lines 9-15). 

As per claims 12 and 38, Win et al. teaches a method as recited in claim 1, wherein the 
resource request is from a client-side application operating on a remote client machine (column 
5, lines 9-15).

As per claim 13, Win et al. teaches a method as recited in claim 1, wherein the private
network is an intranet or a corporate network (column 5, lines 15-17; column 22, lines 50-67).

As per claim 14, Win et al. teaches a method as recited in claim 1, wherein the resource
request is from a network browser (column 5, lines 9-15).

As per claim 15, Win et al. teaches a method as recited in claim 1, wherein said method
further comprises: (g) performing the particular operation at the private network to determine a 
response to the resource request when said determining (e) (column 8, lines 56-60). 

As per claims 16 and 40, Win et al. teaches a method as recited in claims 1 and 34,
wherein the user has an Internet Protocol (IP) address associated therewith, and wherein said 
determining (e) comprises: 

(e1) determining whether the access privileges for the user permit the user to perform the
particular operation at the private network (column 8, lines 34-38); and

(e2) determining whether the IP address associated with the user is authorized (column 8,
lines 38-41).

As per claims 18 and 42, Win et al. teaches a method as recited in claims 17 and 40, 
wherein the access privileges comprise permitted operations, authorized IP addresses, and time- 
of-day restrictions for a plurality of users (column 8, lines 34-67).

As per claims 20 and 45, Win et al. teaches a method as recited in claim 19, wherein said
supplying (f) comprises: (f1) retrieving the particular resource from a content server (column 8,
lines 45-55);

(f2) modifying at least one URL within the particular resource (column 11, lines 55-67);
and (f3) sending the modified resource to the remote user (column 12, lines 1-10).

As per claims 21, 23, 46 and 48 Win et al. teaches a method as recited in claim 19 
wherein said supplying (f) comprises: (f1) modifying the response so that links within the
response point to the intermediate server (column 8, lines 44-55); and

(f2) sending the modified resource to the remote user (column 9, lines 6-21).

As per claims 22 and 47, Win et al. teaches a method as recited in claim 19, wherein said 
supplying (f) comprises: (f1) determining a host name for a remote server hosting the particular
resource being requested (column 8, lines 45-55);

(f2) sending a request for the particular resource to the remote server based on the
determined host name (column 11, lines 55-67); and

(f3) receiving, at the intermediary server, a response to the request from the remote server
(column 12, lines 1-10). 

As per claim 24 and 28, Win et al. teaches a method as recited in claims 19 and 23, 
wherein the private network is an intranet (column 5, lines 15-17).

As per claims 25 and 29, Win et al. teaches a method as recited in claims 19 and 23,
wherein the resource request is from a network browser (column 5, lines 9-15). 

As per claims 26 and 49, Win et al. teaches a method as recited in claims 23 and 34, 
wherein the resource request is from a client-side application operating on a remote client 
machine (column 5, lines 9-15). 

As per claims 27, 30 and 50, Win et al. teaches a method as recited in claims 25, 19, and 
44 wherein the client-side application is selected from the group consisting of: a web browser, an 
email application or a file access application (column 5, lines 9-15). 

As per claim 31, Win et al. teaches an intermediary server system, comprising: a web 
server that receives requests for resources from client machines via a network (column 7, lines 1- 
21); 

a protocol handler operatively connected to said web server, said protocol handler 
receives the requests for resources, modifies the requests to be directed to appropriate remote 
servers via the private network, and forwards the modified requests for resources to the 
appropriate remote servers (column 21, lines 9-45);

a content transformer operatively connected to said protocol handler, said content 
transformer receives the resources supplied by the appropriate remote servers in response to the
modified requests and modifies the resources such that at least certain links contained therein are
modified to be directed to said intermediary server system instead of remote servers (column 21, 
lines 45-67; column 22, lines 1-21); and 

an authentication manager that is located outside the private network and manages access 
by said client devices to resources on the private network (user login to Access Server (106) 
column 6, lines 6-24, column 9, lines 45-67; a firewall (118) separates the Internet and the 
Access Server (106) Intranet is the private network; column 22, lines 50-64; Figures 1 and 8). 

As per claim 32 Win teaches an intermediary server system as recited in claim 31, 
wherein said intermediary server system further comprises:

a data store for storage of session authentication information and access privileges for the 
users (column 6, lines 48-51), 

Wherein access to the resources is not permitted unless the user requesting the access is 
authenticated and has sufficient access privileges (column 8, lines 66-67; column 9, lines 1-5).

As per claim 33, Win teaches a system as recited in claim 32, wherein said system further 
comprises an authentication server provided within said private network for authenticating the 
users to provide authentication results (column 6, lines 49-51), and 

Wherein said intermediary server permits or denies access to said private network via 
said intermediary server by the users based on the authentication results (column 8, lines 66-67; 
column 9, lines 1-5).

As per claim 37, Win teaches a computer readable medium as recited in claim 34 wherein
the intermediary server stores the access privileges for a plurality of users (Access server (106)
and registry server (108) that exchange information to authenticate a user. Registry server (108)
verifies user name and password), and

wherein the intermediary server stores an authentication identifier for each of a plurality 
of users, the authentication identifier identifies an external authentication server to be used to
perform authentication (Registry server (108) coupled to Access server (106), Figure 5A).

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

4. Claims 17 and 41 are rejected under 35 U.S.C. 103(a) as being unpatentable over Win et 
al. US Patent No. 6,182,142 in view of Coley et al. US Patent No. 5,826,014. Coley teaches the
invention as claimed including a firewall system for protecting network elements connected to a 
public network (see abstract). Win teaches the invention as claimed including access and 
registry servers to provide secure access to clients (see abstract).

As per claims 17 and 41, Win et al. teaches a method as recited in claims 16 and 40. Win
does not teach wherein said determining (e) further comprises: (e3) determining whether time-of- 
day restrictions are satisfied. Coley teaches wherein said determining (e) further comprises: (e3) 
determining whether time-of-day restrictions are satisfied (column 9, lines 61-67; column 10, 
lines 1-26). It would have been obvious to a person of ordinary skill in the art at the time of the 
invention to combine the profiles and roles of Win with the time of day restriction of Coley. A 
person of ordinary skill in the art would have been motivated to do this to restrict access to the 
protected server (Win 112). 

Response to Arguments 

5. Applicant's arguments with respect to claims 1-42, 44-50 have been considered but are 
moot in view of the new ground(s) of rejection. 

Conclusion 

6. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Uzma Alam whose telephone number is (571) 272-3995. The 
examiner can normally be reached on Monday-Tuesday 5:30 AM - 2:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ario Etienne can be reached on (571) 272-4001. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

UA